Steps to replicate the issue (include links if applicable):
MediaWiki-extensions-FlexDiagrams
#Mermaid
Using Flex Diagrams, it is possible to retrieve a user's CSRF token and perform actions on that user's account.
On the page https://cheekyfactor.com/wiki/index.php/Mermaid:Test_page I have created a Mermaid diagram using:
sequenceDiagram
participant Alice <u>test</u><img src=x onerror=alert(document.domain)>foo
What happens?:
As can be observed, the alert popup indicates it is possible to inject and execute attacker-controlled JavaScript.
An attacker can also retrieve the victim's CSRF token and perform actions on behalf of the victim's account. To demonstrate this scenario, the researcher has provided a payload that creates a new page using the victim's account.
What should have happened instead?:
It shouldn't run JavaScript.
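To make the failure concrete, the following is an added example written for this report, not code from FlexDiagrams or Mermaid. It pulls the participant label out of the report's own sequenceDiagram definition and renders it two ways: the raw-markup path, which is consistent with the behaviour observed above (the <img onerror> lands in the page as a live element), and an HTML-escaped path, which is what "it shouldn't run JavaScript" requires. It also includes a triage check an administrator could run over stored wikitext to find labels carrying event handlers. Assumptions: the simplified "participant X" / "participant X as Label" grammar, the label-wrapping markup, the regular expressions and the BENIGN_DIAGRAM input are all constructed for illustration. Mermaid's own mitigation for this class of input is its securityLevel configuration (default "strict", which sanitizes label HTML); whether FlexDiagrams 0.5.1 relaxes that setting or escapes labels itself is not established by this report.

```javascript
// Added example (not FlexDiagrams/Mermaid code): shows why the reported
// payload executes and what an escaped rendering looks like instead.

// The diagram definition from the report, verbatim.
const REPORTED_DIAGRAM = `sequenceDiagram
participant Alice <u>test</u><img src=x onerror=alert(document.domain)>foo`;

// Constructed benign definition for comparison (assumption: not from the report).
const BENIGN_DIAGRAM = `sequenceDiagram
participant A as Alice
participant Bob`;

// Extract participant labels from a sequenceDiagram definition.
// Simplified grammar (assumption): "participant <label>" or
// "participant <id> as <label>"; the label runs to end of line.
function extractParticipantLabels(definition) {
  const labels = [];
  for (const rawLine of definition.split('\n')) {
    const m = /^participant\s+(?:\S+\s+as\s+)?(.+)$/.exec(rawLine.trim());
    if (m) labels.push(m[1]);
  }
  return labels;
}

// Unsafe path: the label is interpolated as markup, so any element it
// contains (here an <img> with an onerror handler) becomes part of the DOM
// and its handler fires when the image fails to load.
function renderLabelUnsafe(label) {
  return `<div class="label">${label}</div>`;
}

// Hardened path: escape the HTML-significant characters so the label is
// shown as text. "<img src=x onerror=...>" is then displayed, not executed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}
function renderLabelSafe(label) {
  return `<div class="label">${escapeHtml(label)}</div>`;
}

// Triage check for stored page text: flag labels containing a tag with an
// on* event handler attribute, a javascript: URL, or a <script> tag.
const SCRIPT_BEARING = /<[^>]*\son[a-z]+\s*=|javascript:|<script\b/i;
function containsScriptBearingMarkup(definition) {
  return extractParticipantLabels(definition).some((l) => SCRIPT_BEARING.test(l));
}

// Stand-alone demo: compare both renderings and the triage verdict.
for (const def of [REPORTED_DIAGRAM, BENIGN_DIAGRAM]) {
  console.log('flagged:', containsScriptBearingMarkup(def));
  for (const label of extractParticipantLabels(def)) {
    console.log('  unsafe:', renderLabelUnsafe(label));
    console.log('  safe:  ', renderLabelSafe(label));
  }
}
```

The escaped rendering is a display-only fix; if an extension deliberately wants some inline formatting in labels (the <u>test</u> in the report), an allow-list sanitizer is the alternative, and plain escaping as above is the safe default when that is not needed.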
Software version (skip for WMF-hosted wikis like Wikipedia):
Product Version
MediaWiki 1.39.5
PHP 8.1.26 (litespeed)
MySQL 5.6.23-cll-lve
ICU 63.1
Lua 5.1.5
Pygments 2.11.2
Mermaid 3.1.0
Flex Diagrams 0.5.1
Other information (browser name/version, screenshots, etc.):
This could allow:
- Session Hijacking: An attacker might be able to steal the user's cookies if the session cookie is not set with the proper flags, for example "HttpOnly".
- User Impersonation: An attacker might be able to interact with user data or settings and, in certain scenarios, bypass the CSRF protection by deploying a payload that retrieves the CSRF token automatically and submits legitimate requests to the endpoint.
- Client-Side Attacks: An attacker is also able to inject a JavaScript payload that interacts with the victim's browser, allowing the delivery of further exploits and thus affecting the end user's environment.